By Matthew Svensson, Senior Security Engineer at BetterCloud

If you read the prior blog post, How to dynamically correlate Google Cloud Compute Engine instance network traffic using Chronicle, you understand how we can dynamically correlate IP addresses in network traffic logs, like Zeek, to the cloud compute instance hostname.

The next problem we have to solve is how we can create alerts on these data to identify when a cloud instance reaches out to a new domain.

To get a list of unique domains, you COULD take all of the Zeek http.log and ssl.log files, put them into a SIEM…


Following up from last week’s blog post on why network security telemetry matters today, our guest author Matt Svensson, a Senior Security Engineer at BetterCloud, discusses how you can use Chronicle to dynamically correlate IP addresses in network traffic logs — like Zeek — to events on Compute Engine instances.

By Matthew Svensson, Senior Security Engineer at BetterCloud

Cloud infrastructure has made it operationally simple to scale your application and run rolling updates to instances with no downtime.

This has also made network visibility a seemingly unsolvable headache. Even if you are doing traffic mirroring and creating Zeek logs, cloud…


By Anton Chuvakin — Head of Solutions Strategy at Chronicle

Chronicle recently hosted a very well-attended webinar with ISACA focused on the characteristics of a modern SOC (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and would like to follow up on these and highlight some of the answers.

Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

A: Skills such as threat hunting, threat intelligence, and data analytics are key characteristics of a modern SOC. While these…


By Anton Chuvakin (originally posted at Anton on Security)

While we may live in an endpoint security era, the need for network data analysis today has not vanished. As we discussed during a recent webinar with Chronicle partner Corelight, this is not about competing with endpoint or arguing about what security telemetry is “better” — this is about reminding the security leaders and professionals that your network telemetry matters. This was not only the case in the 1980s (when tcpdump was born), 1990s, 2000s, 2010s, but also today in the 2020s.

To summarize, network security monitoring still matters because you…


Today we’re excited to announce Google Cloud Threat Intelligence for Chronicle, a new applied threat intelligence service available to Chronicle customers. This new service surfaces highly actionable threats in Chronicle environments based on Google’s collective insight and research into Internet-based threats. Using Threat Intelligence for Chronicle, security teams can take advantage of a curated, high fidelity threat intelligence service that allows you to focus on real threats in the environment and accelerate your response time.

See high fidelity threat indicators in your environment, validated hands-on by threat researchers

Threat Intel for Chronicle is exclusively curated for enterprise customers by Uppercase…


The Chronicle team is excited to release new SOC Prime detection rules, now available to use in the Chronicle Detect rules engine. SOC Prime Threat Detection Marketplace is the industry standard one-stop shop for Detection as Code operations and practices, offering access to detection signatures across multiple languages. This new set of detection content makes it simple for security teams to incorporate and build new threat detection rules, and apply them across all the security telemetry stored in Chronicle.

The capabilities of the Chronicle Detect rules engine are accessed using the YARA-L threat detection language which was designed by and…


(By Anton Chuvakin and originally posted at Anton on Security)

One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate.
Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) — examples, examples, examples.

Anton’s old SIEM presentation from 2012 (source, date: 2012)

Before we go, we need to separate the SIEM tool operation difficulties from the SIEM mission difficulties. To remind, the mission that the…


As more organizations embrace hybrid, multi-cloud environments and a work-from-anywhere model, security teams are realizing they operate in the “age of expansion.” More technology and data assets to secure, more telemetry data to analyze, more security tools to manage, more alerts to sort, and — in turn — more threats to defend against. This compounding threat environment has security teams asking, how do we focus on the threats that matter the most?

To position security teams to better handle their security posture and make faster security decisions across multiple layers of the organization, we’re excited to announce that Google Cloud…


As enterprises look to more efficiently manage the incident response process, Security Orchestration, Automation, and Response (SOAR) platforms have steadily gained traction. These tools help SOC teams speed up security operations and create consistency when it comes to responding to security threats.

To help customers take advantage of their incident response toolkit, Chronicle now offers SOC playbook and orchestration-ready APIs and integrations with leading SOAR vendors such as D3 Security, IBM, Palo Alto Networks, ServiceNow, Siemplify, Splunk, and Swimlane. …


By Anton Chuvakin (originally posted at Anton on Security)

Back in August, we released our first Google/Chronicle — Deloitte Security Operations Center (SOC) paper titled “Future of the SOC: Forces shaping modern security operations” (launch blog, paper PDF) and promised a series of three more papers covering SOC people, process and technology.

Here is the next paper “Future of the SOC: SOC People — Skills, Not Tiers” (PDF) and you can easily guess it focuses on the PEOPLE aspect of the SOC. …

Chronicle

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store